Azure App Service - Single AppRole across Services

Pat Long 36 Reputation points
2022-01-26T09:46:52.347+00:00

I have an ASP.NET Core web site called Web-App-1 and an ASP.NET Core Web API called Web-Api-1.

There is functionality in Web-Api-1 that I want to secure so that it can only be called by certain users.

I also want to know in the Web-App-1 if the current user can call the secure functionality and if not I will not offer them the chance to do so.

I can satisfy requirement 1 by adding an AppRole to the API's App Registration in Azure AD and checking the ClaimsIdentity for that app role.

// Inside a ControllerBase action in Web-Api-1.
// ClaimTypes.Role is the same value as ClaimsIdentity.DefaultRoleClaimType.
if (!HttpContext.User.HasClaim(
    System.Security.Claims.ClaimTypes.Role,
    "SecuredApiFunctionality"))
{
    return new UnauthorizedObjectResult("User does not have SecuredApiFunctionality role");
}

However, when I look in the claims for that user within the context of Web-App-1 I cannot see "SecuredApiFunctionality". I assume this is because it is an AppRole belonging to Web-Api-1 and I am in Web-App-1.

I could define a second AppRole in Web-App-1 and set up privileges to that too, but that sounds like duplication to me. Is there a way of securing the API and the Web App using only one role?

I've posted this question on Stack Overflow too but haven't got any traction there. If I get an answer on here I'll post it up on there.
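The API-side check the question describes, written the way I would structure it in ASP.NET Core: the role name lives in one constant, a named authorization policy enforces it, and the `[Authorize]` attribute replaces the inline claim check (so an authenticated caller without the role receives 403 rather than 401). This is an added example, not the poster's code or the project's own; the host, the controller, and the `RoleNames` / `RoleCheck` helpers are hypothetical, and it assumes a JWT bearer handler for Azure AD (for instance Microsoft.Identity.Web's `AddMicrosoftIdentityWebApi`) is registered elsewhere and that the app role value on Web-Api-1's app registration is exactly "SecuredApiFunctionality".

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical minimal Web-Api-1 host (added example, not the poster's code).
// Assumes the Azure AD JWT bearer authentication handler is configured here
// as well, e.g. via Microsoft.Identity.Web's AddMicrosoftIdentityWebApi.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddAuthorization(options =>
{
    // One named policy keeps the role name out of every individual action.
    options.AddPolicy(RoleNames.SecuredApiPolicy,
        policy => policy.RequireRole(RoleNames.SecuredApiFunctionality));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public static class RoleNames
{
    // Must match the "value" of the app role on the API's app registration.
    public const string SecuredApiFunctionality = "SecuredApiFunctionality";
    public const string SecuredApiPolicy = "RequireSecuredApiFunctionality";
}

[ApiController]
[Route("api/[controller]")]
public class SecureController : ControllerBase
{
    // The policy runs before the action body: an authenticated caller lacking
    // the role gets 403 Forbidden; an unauthenticated caller gets 401.
    [HttpGet]
    [Authorize(Policy = RoleNames.SecuredApiPolicy)]
    public IActionResult Get() => Ok("secured functionality");
}

// Reusable check for non-controller code. ClaimsPrincipal.IsInRole consults
// each identity's RoleClaimType, so it works whether the token handler mapped
// the token's "roles" claim to ClaimTypes.Role or left the raw claim name.
public static class RoleCheck
{
    public static bool CanCallSecuredApi(ClaimsPrincipal user) =>
        user.Identity?.IsAuthenticated == true
        && user.IsInRole(RoleNames.SecuredApiFunctionality);
}
```

`RoleCheck.CanCallSecuredApi` only reports true for a principal whose token actually carries the role, which is the API's own access token; evaluated against Web-App-1's sign-in identity it returns false for exactly the reason the question observes, since that identity is built from a token issued for Web-App-1's registration, not Web-Api-1's.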


1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-01-28T20:42:50.72+00:00

    Hi anonymous user,

    I understand that you want to share a single AppRole between your Web API and web application.

    I do not believe that this is possible because both the Web API app and web application would fall under the category of an app service, and Application Roles are meant to be very specific to the application they are defined for. Behind the scenes these would operate mostly the same in Azure since it sounds like you have two separate apps and app registrations.

    Just to make sure, though, I have reached out to the product team to confirm if there is any way to accomplish this, and will update you if they have a solution. There was a similar question asked on Stack Overflow in 2020, and some workarounds were offered.

    If you would like to make a feature request for the ability to share the app roles across multiple applications, you can create one in the Ideas forum and share the link so that I can bubble it up. https://feedback.azure.com/

    See also: Manage Azure AD App roles across many applications

    Thanks,

    Marilee
